Background information
- Date of final decision: 22 July 2024
- Cross-border case
One-Stop-Shop Procedure: the decision was taken by national supervisory authorities following the One-Stop-Shop cooperation procedure (OSS). - Netherlands
- and CSAs: All SAs, except for Bulgaria, Cyprus, Iceland, Latvia, Liechtenstein, Luxembourg and Slovenia.
- Legal Reference(s): Article 44 (General principle for transfers), Article 46 (Transfers by way of appropriate safeguards), Article 49 (Derogations for specific situations)
- Decision: Administrative fine
- Key words: Administrative fine, International transfer, Third party access to personal data
Summary of the Decision
Origin of the case
The Dutch Supervisory Authority (SA) started the investigation on Uber after more than 170 French Uber drivers complained to the French human rights interest group the Ligue des droits de l’Homme (LDH), which subsequently submitted a complaint to the French SA. The French SA forwarded the complaints to the Dutch SA, which is the Lead Supervisory Authority for Uber.
Key Findings
The Dutch SA found that Uber collected, among other things, sensitive information of drivers from Europe and retained it on servers in the US. It concerns account details and taxi licences, but also location data, photos, payment details, identity documents, and even in some cases criminal and medical data of the drivers.
For a period of over two years, Uber transferred those data to Uber's headquarters in the US, without using transfer tools. Because of this, the protection of personal data was not sufficient. The Court of Justice of the EU invalidated the Privacy Shield in 2020. According to the Court, Standard Contractual Clauses could still provide a valid basis for transferring data to countries outside the EU, but only if an equivalent level of protection can be guaranteed in practice. Because Uber no longer used Standard Contractual Clauses from August 2021, the data of drivers from the EU were insufficiently protected, according to the Dutch SA. Since the end of last year, Uber uses the successor to the Privacy Shield.
Decision
The Dutch SA imposed a fine of 290 million euros on Uber.
For further information:
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.